Cryptolocker Ransomware

johnrobert

Client has got Cryptolocker Ransomware with the red logo.
I clicked on all the links to get to the pay site; none work, even using Tor.

I read there's a free service where you upload a file and they send you a decryption tool.

It used to be either pay or you don't get your files back. Has this changed?

They want 2.5 bitcoins.
 
Have you verified that the files are actually encrypted? From what I understand one will not see the ransom page unless encryption has been completed and it has reported back to the C&C server. Maybe they are temporarily down. At any rate there are some posts on here where decryptors have been noted.

https://www.technibble.com/forums/threads/kaspersky-ransomware-decryptor-coinvault.63178/

That is the most recent one. There are some others as well.
 
Thanks for the quick reply Mark


$550 US is almost $800 CAD.
He would like his files back of course, but $800 is too much, and he has no backup.

It's XP, so no shadow copy or previous versions.

They are all encrypted; they all end with the extension ecc:

ben.jpg.ecc
2011 VIBS FORK LIFT ORDER.doc.ecc
AGE JOKE.doc.ecc
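Mark's question above (have you verified the files are actually encrypted?) and the list of renamed files are the two things worth checking before deciding anything. The script below is an added example, not code from this thread or from any tool mentioned in it. It walks a directory, inventories files carrying a ransomware suffix (the .ecc/.vault set is an assumption taken from the extensions named in this thread), records the original extension hidden under it (ben.jpg.ecc -> .jpg), and estimates byte entropy to tell ciphertext from a file that was merely renamed. The 7.5 bits-per-byte threshold and the constructed sample tree are assumptions for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffixes this thread associates with ransomware families:
# .ecc for TeslaCrypt, .vault for the "Cryptovault" variant (assumed set).
RANSOM_SUFFIXES = {".ecc", ".vault"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(root: str, sample_bytes: int = 65536, threshold: float = 7.5) -> dict:
    """Inventory files under root that carry a ransomware suffix.

    Returns a dict with the per-file findings, a Counter of the original
    extensions found under the ransomware suffix, and how many files look
    encrypted (entropy of the first sample_bytes at or above threshold).
    Only reads files, never writes to the tree being examined.
    """
    hits = []
    original_ext = Counter()
    high_entropy = 0
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in RANSOM_SUFFIXES:
            continue
        # "ben.jpg.ecc" -> stem "ben.jpg" -> original extension ".jpg"
        inner = Path(path.stem).suffix.lower() or "(none)"
        with open(path, "rb") as fh:
            ent = shannon_entropy(fh.read(sample_bytes))
        looks_encrypted = ent >= threshold
        high_entropy += int(looks_encrypted)
        original_ext[inner] += 1
        hits.append({
            "path": str(path),
            "original_ext": inner,
            "entropy": round(ent, 2),
            "looks_encrypted": looks_encrypted,
        })
    return {"files": hits, "original_extensions": original_ext,
            "high_entropy": high_entropy}


def build_sample_tree() -> str:
    """Constructed sample data: two random-byte '.ecc' files (stand-ins for
    ciphertext), one '.ecc' file that is still plaintext, one untouched file."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "ben.jpg.ecc").write_bytes(os.urandom(4096))
    orders = root / "orders"
    orders.mkdir()
    (orders / "2011 VIBS FORK LIFT ORDER.doc.ecc").write_bytes(os.urandom(4096))
    # Renamed but not encrypted: an interrupted run would leave files like this
    (root / "notes.txt.ecc").write_bytes(b"plain text, not encrypted\n" * 100)
    (root / "untouched.txt").write_bytes(b"fine\n")
    return str(root)


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for entry in report["files"]:
        print(f'{entry["entropy"]:5.2f}  {"ENC " if entry["looks_encrypted"] else "text"}  {entry["path"]}')
    print("original extensions:", dict(report["original_extensions"]))
    print("files that look encrypted:", report["high_entropy"], "of", len(report["files"]))
```

Point it at a read-only mount of the slaved drive rather than the live system, so the check does not write to the disk you may later want to carve with Photorec. The original-extension count is also what you need when deciding which file types a decrypter or file-carving pass should target first.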
 
Sounds like it's Teslacrypt. Cryptolocker's C&C servers got shut down some time ago. There's a fake Cryptolocker going around called PCLock. This might be some kind of munge between the two.

Over on Bleeping Computer, Fabian from Emsisoft has come up with a decrypter for some file types that were hit by PCLock. If this is some type of hybrid, you might have better luck using Photorec to an external drive and just grabbing what you can.

http://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/
 
Hopefully this is not a MSP situation John. At any rate have you tried force opening files with the appropriate app? Just a stab in the dark. Other than the various decryptor possibilities about the only other thing you could do is scan the drive with something like R-Studio and look at the recovery by file type to try to get auto saves.

Edit: many people send and receive files via email so maybe that may be something to look at.
 
(two screenshots attached: 2hwmdsx.jpg, 2hi1qvk.jpg)
 
Yeah, that's going to be a copycat. Did the infection delete itself or do you still have the files?
 
As a matter of fact, that matches the ransom note for TeslaCrypt. As there's no decrypter yet (afaik), I'd suggest you abruptly shut the system down so Windows doesn't write to the drive, then slave the drive and use Photorec to see what you can get. Just be sure you point Photorec to an external recovery drive, so you don't change the original drive at all.
 
I've not seen any Cryptolocker variant rename the files. Not come across Teslacrypt. There is a new variant called Cryptovault which renames files with a vault extension. It does not appear your client has this version.

You state there is little reward for a bill? Why is this? You should at least make a nuke and pave fee whether he decides to pay the ransom or not.
If a client is infected with this and all files are lost, we nuke and pave no matter what. It's easier for us and cheaper for the client especially if the PC has a built in restore.
 
I wouldn't waste a lot of time on this. If the client is unwilling to risk and pay the ransom then move on. There is NO method of decrypting files without a key. Even the Emsisoft tool is using a known key (sloppy programming by the virus writer).
 
I wouldn't waste a lot of time on this. If the client is unwilling to risk and pay the ransom then move on. There is NO method of decrypting files without a key. Even the Emsisoft tool is using a known key (sloppy programming by the virus writer).

I agree, even if you "remove" the encryption chances are it is still residing somewhere. Nuke and pave; it's up to the customer to have backups.
 